Koobface on the Loose as "flash_update.exe"

Social networking worms like the Koobface family are a reality, and their prevalence shows in our ThreatFire community. Facebook users need to be aware that links appearing on friends’ Facebook pages may lead to malware downloads. There is no need to stop clicking on links or visiting friends’ pages, but just because a link is on a friend’s page does not mean that the content behind it can be unconditionally trusted.

Basically, if you click on a link on a friend’s profile and your browser is redirected to a video page, do not download and run the executable when prompted. The consistently malicious “flash_update.exe” is being blocked in high volume on a daily basis in our community. The trick here is a twist on the familiar need to update Adobe’s Flash Player; if you actually need to update your Flash Player, go to Adobe’s site and update it there. Here’s an example from a Koobface distribution site that has already been taken down:

Running the “flash_update.exe” download results in all sorts of problems for the user, including potential modifications to their own Facebook profile, prompts to solve CAPTCHAs, and more. The immediate visible result is an error message, “Error installing Flash Update. Please contact support”.

In the infections we’re observing this morning, an executable with a name resembling “bolivar28.exe” is dropped to the system drive and run.

Update: the dropped executables, named “bolivar26.exe”, “bolivar28.exe” and so on, are copies of the original flash_update.exe file. A quick analysis shows them to be similar in functionality to the CAPTCHA-cracking binaries previously observed in the wild. Also interesting is that these files are worming through and attacking other social networking sites such as myspace.com, blackplanet.com, friendster.com and bebo.com, in addition to Facebook, the worm’s namesake.

Today I got a Facebook message from one of my friends with a link to the Koobface movie page. The site referenced in the Facebook message link was a GeoCities page that redirects to a rotating set of zombie sites that run web servers on port 7777 and serve up flash_update.exe.
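The indicators in this post (a download of flash_update.exe, zombie web servers listening on port 7777, and dropped copies named bolivarNN.exe) are simple enough to check for in proxy logs and on disk. The script below is an added example written for this page, not ThreatFire’s own code or anything from the Koobface analysis. The proxy log format (timestamp, client IP, method, URL, status) and the sample log lines and file paths are constructed for illustration; the hostnames and IP addresses in them are documentation/test ranges, not real distribution sites.

```python
"""Flag Koobface indicators described in the post in proxy logs and file listings.

Assumed (constructed) proxy log format, one request per line:
    <timestamp> <client_ip> <method> <url> <status>
"""
import ntpath
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple
from urllib.parse import urlsplit

# Indicators taken from the post: the lure filename, the naming pattern of
# the dropped copies, and the port the zombie web servers listen on.
LURE_FILENAME = "flash_update.exe"
DROPPED_NAME_RE = re.compile(r"^bolivar\d+\.exe$", re.IGNORECASE)
ZOMBIE_PORT = 7777

# Constructed sample log: line 3 is a legitimate visit to Adobe's site and
# must not be flagged; lines 2, 4 and 5 each carry at least one indicator.
SAMPLE_PROXY_LOG = """\
2008-12-04T09:12:01 10.0.0.12 GET http://pages.geocities.example/someuser/video.html 200
2008-12-04T09:12:02 10.0.0.12 GET http://203.0.113.25:7777/flash_update.exe 200
2008-12-04T09:15:44 10.0.0.31 GET http://get.adobe.com/flashplayer/ 200
2008-12-04T09:16:10 10.0.0.31 GET http://198.51.100.7:7777/index.php 200
2008-12-04T09:20:03 10.0.0.44 GET http://cdn.example.net/files/FLASH_UPDATE.EXE 200
"""

# Constructed file listing from a suspect host's system drive.
SAMPLE_PATHS = [
    r"C:\bolivar28.exe",
    r"C:\bolivar26.exe",
    r"C:\Windows\notepad.exe",
    r"C:\Users\alice\Downloads\flash_update.exe",
]


@dataclass
class Alert:
    line_no: int
    client: str
    url: str
    reason: str


def parse_proxy_line(line: str) -> Optional[Tuple[str, str, str, str, str]]:
    """Split one constructed log line into its five fields; None if malformed."""
    parts = line.split()
    if len(parts) != 5:
        return None
    ts, client, method, url, status = parts
    return ts, client, method, url, status


def koobface_reasons(url: str) -> List[str]:
    """Return the list of indicators from the post that a URL matches."""
    reasons: List[str] = []
    parts = urlsplit(url)
    try:
        port = parts.port  # int, or None when no explicit port is given
    except ValueError:  # non-numeric port in the URL
        port = None
    if port == ZOMBIE_PORT:
        reasons.append(f"web server on port {ZOMBIE_PORT}")
    # Compare the last path component case-insensitively: Windows file names
    # are not case sensitive, so FLASH_UPDATE.EXE is the same lure.
    basename = parts.path.rsplit("/", 1)[-1].lower()
    if basename == LURE_FILENAME:
        reasons.append(f"download of {LURE_FILENAME}")
    return reasons


def scan_proxy_log(text: str) -> List[Alert]:
    """Scan a log in the assumed format and return one Alert per matching line."""
    alerts: List[Alert] = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        rec = parse_proxy_line(line)
        if rec is None:
            continue
        _ts, client, _method, url, _status = rec
        reasons = koobface_reasons(url)
        if reasons:
            alerts.append(Alert(line_no, client, url, "; ".join(reasons)))
    return alerts


def find_dropped_copies(paths: List[str]) -> List[str]:
    """Return the paths whose file name matches the bolivarNN.exe pattern."""
    return [p for p in paths if DROPPED_NAME_RE.match(ntpath.basename(p))]


if __name__ == "__main__":
    for a in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"line {a.line_no}: {a.client} -> {a.url} ({a.reason})")
    print("dropped copies:", find_dropped_copies(SAMPLE_PATHS))
```

The port check matters because the post says the lure is served by a rotating set of zombie hosts, so the filename alone would miss a renamed payload while the unusual port would still stand out; conversely, a flash_update.exe fetched from an ordinary port is still worth a look, which is why the two indicators are reported separately.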

I didn’t run the update, but I saved it to see if AVG would recognize it as malware. It did not.